H3C S5120-SI Series Configuration Manual

Page 2

Copyright © 2009-2011, hangzhou h3c technologies co., ltd. And its licensors all rights reserved no part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of hangzhou h3c technologies co., ltd. Trademarks h3c, , aolynk, , h 3 care, , top g, , i...

Page 4: About This Document

2-1 1 about this document audience this documentation is intended for: z network planners z field technical support and servicing engineers z network administrators working with the s5120-si series organization the h3c s5120-si series ethernet switches configuration guide, release 1101 comprises the...

Page 6

2-3 chapter content 19-qos z configuring qos policy z configuring priority mapping z configuring line rate z configuring sp, wrr, and sp+wrr queuing z configuring traffic filtering z configuring traffic redirecting 20-802.1x z 802.1x basic configuration z 802.1x extended configuration z 802.1x guest...

Page 8: Conventions

2-5 conventions this section describes the conventions used in this documentation set. Command conventions convention description boldface bold text represents commands and keywords that you enter literally as shown. Italic italic text represents arguments that you replace with actual values. [ ] sq...

Page 10: Technical Support

2-2 z [technical support & documents > software download] – provides the documentation released with the software version. Technical support customer_service@h3c.Com http://www.H3c.Com documentation feedback you can e-mail your comments about product documentation to info@h3c.Com. We appreciate your...

Page 12

3-2 distribution layer switches deploy the s5120-si series at the distribution layer of a medium- and large-sized enterprise or campus network to provide high-performance and large-capacity switching service. Figure 3-1 an enterprise network access switches the s5120-si series can serve as access sw...

Page 14: Table of Contents

1 table of contents 1 cli configuration ······································································································································1-1 what is cli? ·············································································································...

Page 16

1-2 z through telnet. For more information, see entering cli through telnet . Z through ssh with encryption. For more information, see ssh2.0 configuration. Entering cli through the console port when you use the cli of an h3c switch for the first time, you can log in to the switch and enter the cli ...

Page 18

1-4 figure 1-5 set the properties of the serial port 5) the hyperterminal window as shown in figure 1-6 appears. Figure 1-6 the hyperterminal window.

Page 20

1-6 figure 1-8 schematic diagram for successful login through the console port entering cli through telnet after you log in to your switch through the console port for the first time, it is recommended that you configure telnet login as soon as possible, so that you can use a remote terminal to conf...

Page 22

1-8 table 1-2 command conventions convention description boldface the keywords of a command line are in boldface. Keep keywords unchanged when typing them in the cli. Italic command arguments are in italic. Replace arguments with actual values in the cli. [ ] items (keywords or arguments) in square ...

Page 24

1-10 login command views command view description command to enter example user-interface aux [sysname] user-interface aux 0 [sysname-ui-aux0] user interface view after entering this view, you can configure user interface parameters. User-interface vty [sysname] user-interface vty 0 [sysname-ui-vty0...

Page 26

1-12 command view description command to enter example priority mapping table view enter priority mapping table view and configure mappings in this view. Qos map-table [sysname] qos map-table dot1p-dp [sysname-maptbl-dot1p-dp] isp domain view z create an isp domain and enter its view. Z after enteri...

Page 28: Tips On Using The Cli

1-14 command view description command to enter example ftp client view z enter ftp client view to configure ftp parameters. Ftp ftp [ftp] tips on using the cli using the cli online help in the cli, you can type a question mark (?) to obtain detailed online help. See the following examples. Type ? In...

Page 30

1-16 key function left arrow key or ctrl+b the cursor moves one character space to the left. Right arrow key or ctrl+f the cursor moves one character space to the right. Tab if you press tab after entering part of a keyword, the system automatically completes the keyword: z if finding a unique match...

Page 32

1-18 for the support of the display commands for regular expressions, see the corresponding command reference. There are two ways to filter output information. Z input the begin, exclude, or include keyword plus a regular expression in the display command to filter the output information. Z when the...

Page 34

1-20 anti-interruption for command input anti-interruption for command input refers to the feature that if your input is interrupted by system output, then after the completion of system output the system displays a command line prompt and your input so far, and you can continue your operations from...

Page 36

Ii configuration example····························································································································4-2 5 logging in through nms··························································································································5-...

Page 38

1-2 z vty user interfaces: numbered after aux user interfaces and increases in the step of 1 2) a relative user interface index can be obtained by appending a number to the identifier of a user interface type. It is generated by user interface type. The relative user interface indexes are as follows...

Page 40: Introduction

2-1 2 logging in through the console port when logging in through the console port, go to these sections for information you are interested in: z introduction z setting up the connection to the console port z console port login configuration z console port login configuration with authentication mod...

Page 42

2-3 figure 2-4 set port parameters terminal window z turn on the switch. The user will be prompted to press the enter key if the switch successfully completes post (power-on self test). The prompt (such as ) appears after the user presses the enter key. Z you can then configure the switch or check t...

Page 44: None

2-5 authentication mode console port login configuration description specify to perform local authentication or radius authentication aaa configuration specifies whether to perform local authentication or radius authentication optional local authentication is performed by default. Refer to the aaa c...

Page 47: Password

2-8 # specify commands of level 2 are available to the user logging in to the aux user interface. [sysname-ui-aux0] user privilege level 2 # set the baud rate of the console port to 19200 bps. [sysname-ui-aux0] speed 19200 # set the maximum number of lines the screen can contain to 30. [sysname-ui-a...

Page 50: Scheme

2-11 [sysname] user-interface aux 0 # specify to authenticate the user logging in through the console port using the local password. [sysname-ui-aux0] authentication-mode password # set the local password to 123456 (in plain text). [sysname-ui-aux0] set authentication password simple 123456 # specif...

Page 54: Introduction

3-1 3 logging in through telnet/ssh when logging in through telnet, go to these sections for information you are interested in: z introduction z telnet configuration with authentication mode being none z telnet configuration with authentication mode being password z telnet configuration with authent...

Page 56

3-3 figure 3-2 launch telnet step 5: enter the password when the telnet window displays “login authentication” and prompts for login password. The cli prompt (such as ) appears if the password is correct. If all vty user interfaces of the switch are in use, you will fail to establish the connection ...

Page 58

3-5 z the auto-execute command command may cause you unable to perform common configuration in the user interface, so use it with caution. Z before executing the auto-execute command command and save your configuration, make sure you can log in to the switch in other modes and cancel the configurati...

Page 60

3-7 note that if you configure not to authenticate the users, the command level available to users logging in to a switch depends on both the authentication-mode none command and the user privilege level level command, as listed in table 3-4 . Table 3-4 determine the command level when users logging...

Page 62

3-9 to do… use the command… remarks set the maximum number of lines the screen can contain screen-length screen-length optional by default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages. Set the history command ...

Page 65

3-12 to do… use the command… remarks make terminal services available shell optional terminal services are available in all use interfaces by default. Set the maximum number of lines the screen can contain screen-length screen-length optional by default, the screen can contain up to 24 lines. You ca...

Page 67: Management System

4-1 4 logging in through web-based network management system introduction an s5120-si series switch has a web server built in. You can log in to an s5120-si series switch through a web browser and manage and maintain the switch intuitively by interacting with the built-in web server. To log in to an...

Page 69

4-3 step 4: log in to the switch through ie. Launch ie on the web-based network management terminal (your pc) and enter the ip address of the management vlan interface of the switch (here it is http://10.153.17.82). (make sure the route between the web-based network management terminal and the switc...

Page 71: Introduction

6-1 6 specifying source for telnet packets when specifying source ip address/interface for telnet packets, go to these sections for information you are interested in: z introduction z specifying source ip address/interface for telnet packets z displaying the source ip address/interface specified for...

Page 75

7-3 controlling telnet users by source mac addresses this configuration needs to be implemented by layer 2 acl; a layer 2 acl ranges from 4000 to 4999. For the definition of acl, refer to acl configuration. Follow these steps to control telnet users by source mac addresses: to do… use the command… r...

Page 78

7-6 network diagram figure 7-2 network diagram for controlling snmp users using acls switch 10.110.100.46 host a ip network host b 10.110.100.52 configuration procedure # define a basic acl. System-view [sysname] acl number 2000 match-order config [sysname-acl-basic-2000] rule 1 permit source 10.110...

Page 81: Table of Contents

I table of contents 1 ethernet port configuration ·····················································································································1-1 basic ethernet port configuration································································································...

Page 85

1-4 figure 1-2 internal loopback testing z external loopback testing, which tests the hardware of ethernet ports. As shown in figure 1-3 , external loopback testing is performed on port 1. To perform external loopback testing on an ethernet port, insert a loopback plug into the port. During the exte...

Page 87

1-6 configuring traffic storm protection a traffic storm occurs when a large amount of broadcast, multicast, or unicast packets congest a network. The s5120-si switches provide two storm protection approaches: z storm suppression, which enables you to limit the size of monitored traffic passing thro...

Page 89

1-8 to do… use the command… remarks specify to send trap messages when the traffic detected exceeds the upper threshold or drops down below the lower threshold from a point higher than the upper threshold storm-constrain enable trap optional by default, the system sends trap messages when the traffi...

Page 91

1-10 to do… use the command… remarks configure the interval for port loopback detection loopback-detection interval-time time optional 30 seconds by default enter ethernet port view interface interface-type interface-number — enable loopback detection on a port loopback-detection enable required dis...

Page 93

1-12 to do… use the command… remarks enter system view system-view — enter ethernet port view interface interface-type interface-number — test the cable connected to the ethernet port once virtual-cable-test required displaying and maintaining an ethernet port to do… use the command… remarks display...

Page 95: Configuration

1-1 1 loopback interface and null interface configuration when configuring loopback interfaces and null interfaces, go to these sections for information you are interested in: z loopback interface z null interface z displaying and maintaining loopback and null interfaces loopback interface introduct...

Page 97

1-3 to do… use the command… remarks enter system view system-view — enter null interface view interface null 0 required the null 0 interface is the default null interface on your device. It cannot be manually created or removed. Set a description for the null interface description text optional by d...

Page 99: Overview

1-1 1 ethernet link aggregation configuration this chapter includes these sections: z overview z ethernet link aggregation configuration task list z configuring an aggregation group z configuring an aggregate interface z displaying and maintaining ethernet link aggregation z ethernet link aggregatio...

Page 101

1-3 z class-two configurations made on an aggregate interface are automatically synchronized to all its member ports. These configurations are retained on the member ports even after the aggregate interface is removed. Z any class-two configuration change may affect the aggregation state of link agg...

Page 103

1-5 aggregating links in static mode lacp is disabled on the member ports in a static aggregation group. The aggregation state of the member ports must be maintained manually. Static link aggregation comprises: z selecting a reference port z setting the aggregation state of each member port selectin...

Page 105

1-7 figure 1-3 set the state of a member port in a dynamic aggregation group no more candidate ports than allowed max. Number of selected ports? Is the port up? Is there any hardware restriction? Port number low enough to put the port within the limit? Set the aggregation state of a member port set ...

Page 107

1-9 to do... Use the command... Remarks create a layer 2 aggregate interface and enter the layer 2 aggregate interface view interface bridge-aggregation interface-number required when you create a layer 2 aggregate interface, the system automatically creates a layer 2 static aggregation group number...

Page 110

1-12 to do... Use the command... Remarks clear statistics for a specific or all aggregate interfaces reset counters interface [ bridge-aggregation } [ interface-number ] ] available in user view ethernet link aggregation configuration examples in an aggregation group, only ports that have the same p...

Page 112

1-14 bagg -- bridge-aggregation, ragg -- route-aggregation aggregation mode: s -- static, d -- dynamic loadsharing type: shar -- loadsharing, nons -- non-loadsharing actor system id: 0x8000, 000f-e2ff-0001 agg agg partner id select unselect share interface mode ports ports type ---------------------...

Page 114

1-16 ------------------------------------------------------------------------------- bagg1 d 0x8000, 000f-e2ff-0002 3 0 shar the output shows that link aggregation group 1 is a load sharing layer 2 dynamic aggregation group and it contains three selected ports..

Page 116: Port Isolation Configuration

1-1 1 port isolation configuration when configuring port isolation, go to these sections for information you are interested in: z introduction to port isolation z configuring an isolation group for a multiple-isolation-group device z displaying and maintaining isolation groups z port isolation confi...

Page 118

1-3 [device-gigabitethernet1/0/1] port-isolate enable group 2 [device-gigabitethernet1/0/1] quit [device] interface gigabitethernet 1/0/2 [device-gigabitethernet1/0/2] port-isolate enable group 2 [device-gigabitethernet1/0/2] quit [device] interface gigabitethernet 1/0/3 [device-gigabitethernet1/0/3...

Page 120: Port Mirroring Configuration

1-1 1 port mirroring configuration when configuring port mirroring, go to these sections for information you are interested in: z introduction to port mirroring z configuring local port mirroring z displaying and maintaining port mirroring z port mirroring configuration examples introduction to port...

Page 122

1-3 z a local mirroring group takes effect only after you configure a monitor port and mirroring ports for it. Z to ensure the smooth operation of your device, do not enable stp, mstp, or rstp on the monitor port. Z you are recommended to use a monitor port only for port mirroring. This is to ensure...

Page 124: Table of Contents

I table of contents 1 lldp configuration···································································································································1-1 overview ····················································································································...

Page 126

1-2 figure 1-1 ethernet ii-encapsulated lldpdu format the fields in the frame are described in table 1-1 : table 1-1 description of the fields in an ethernet ii-encapsulated lldpdu field description destination mac address the mac address to which the lldpdu is advertised. It is fixed to 0x0180-c200...

Page 128

1-4 type description remarks system name assigned name of the sending device system description description of the sending device system capabilities identifies the primary functions of the sending device and the enabled primary functions management address management address, and the interface numb...

Page 130: Lldp Configuration Task List

1-6 can configure a re-initialization delay. With this delay configured, a port must wait for the specified interval before it can initialize lldp after the lldp operating mode changes. Transmitting lldpdus an lldp-enabled port operating in txrx mode or tx mode sends lldpdus to its directly connecte...

Page 132

1-8 setting the lldp re-initialization delay when lldp operating mode changes on a port, the port initializes the protocol state machines after a certain delay. By adjusting the lldp re-initialization delay, you can avoid frequent initializations caused by frequent lldp operating mode changes on a p...

Page 135

1-11 to do… use the command… remarks enter layer 2 ethernet port view interface interface-type interface-number enter ethernet port view or port group view enter port group view port-group manual port-group-name required use either command set the encapsulation format for lldpdus to snap lldp encaps...

Page 138

1-14 # enable lldp on gigabitethernet 1/0/1 and gigabitethernet 1/0/2 (you can skip this step because lldp is enabled on ports by default), and set the lldp operating mode to rx. [switcha] interface gigabitethernet 1/0/1 [switcha-gigabitethernet1/0/1] lldp enable [switcha-gigabitethernet1/0/1] lldp ...

Page 140

1-16 number of med neighbors : 0 number of cdp neighbors : 0 number of sent optional tlv : 0 number of received unknown tlv : 0 as the sample output shows, gigabitethernet 1/0/2 of switch a does not connect to any neighboring devices. Cdp-compatible lldp configuration example network requirements as...

Page 142: Table of Contents

I table of contents 1 vlan configuration ··································································································································1-1 introduction to vlan ········································································································...

Page 144

1-2 2) improving lan security. By assigning user groups to different vlans, you can isolate them at layer 2. To enable communication between vlans, routers or layer 3 switches are required. 3) flexible virtual workgroup creation. As users from the same workgroup can be assigned to the same vlan rega...

Page 146

1-4 z as the default vlan, vlan 1 cannot be created or removed. Z you cannot manually create or remove vlans reserved for special purposes. Z dynamic vlans cannot be removed with the undo vlan command. Z a vlan with a qos policy applied cannot be removed. Configuring basic settings of a vlan interfa...

Page 148

1-6 actions (in the inbound direction) port type untagged frame tagged frame actions (in the outbound direction) access tag the frame with the default vlan tag. Z receive the frame if its vlan id is the same as the default vlan id. Z drop the frame if its vlan id is different from the default vlan i...

Page 150

1-8 to do… use the command… remarks enter ethernet interface view interface interface-type interface-number enter layer-2 aggregate interface view interface bridge-aggregation interface-number enter interface view or port group view enter port group view port-group manual port-group-name required us...

Page 152: Vlan Configuration Example

1-10 to do... Use the command… remarks [ interface-number ] ] vlan configuration example network requirements z device a connects to device b through a trunk port gigabitethernet 1/0/1; z the default vlan id of gigabitethernet 1/0/1 is 100; z gigabitethernet 1/0/1 allows packets from vlan 2, vlan 6 ...

Page 154: Voice Vlan Configuration

2-1 2 voice vlan configuration when configuring a voice vlan, go to these sections for information you are interested in: z overview z configuring a voice vlan z displaying and maintaining voice vlan z voice vlan configuration overview as voice communication technologies grow more mature, voice devi...

Page 156

2-3 figure 2-2 only ip phones access the network both modes forward tagged packets according to their tags. The following tables list the required configurations on ports of different link types in order for these ports to support tagged or untagged voice traffic sent from ip phones when different v...

Page 158: Configuring A Voice Vlan

2-5 the port forwards all received untagged packets in the voice vlan. In normal mode, the voice vlans are vulnerable to traffic attacks. Vicious users can forge a large amount of voice packets and send them to voice vlan-enabled ports to consume the voice vlan bandwidth, affecting normal voice comm...

Page 160

2-7 to do... Use the command... Remarks add a recognizable oui address voice vlan mac-address oui mask oui-mask[ description text] optional by default, each voice vlan has default oui addresses configured. Refer to table 2-1 for the default oui addresses of different vendors. Enter interface view in...

Page 162

2-9 # configure the allowed oui addresses as mac addresses prefixed by 0011-2200-0000. In this way, device a identifies packets whose mac addresses match any of the configured oui addresses as voice packets. [devicea] voice vlan mac-address 0011-2200-0001 mask ffff-ff00-0000 description ip phone b #...

Page 164

2-11 0001-e300-0000 ffff-ff00-0000 siemens phone 0003-6b00-0000 ffff-ff00-0000 cisco phone 0004-0d00-0000 ffff-ff00-0000 avaya phone 0011-2200-0000 ffff-ff00-0000 test 00d0-1e00-0000 ffff-ff00-0000 pingtel phone 0060-b900-0000 ffff-ff00-0000 philips/nec phone 00e0-7500-0000 ffff-ff00-0000 polycom ph...

Page 166: Mstp Configuration

1-1 1 mstp configuration this chapter includes these sections: z overview z introduction to stp z introduction to rstp z introduction to mstp z mstp configuration task list z configuring mstp z displaying and maintaining mstp z mstp configuration example overview as a layer 2 management protocol, th...

Page 168

1-3 figure 1-1 a schematic diagram of designated bridges and designated ports path cost path cost is a reference value used for link selection in stp. By calculating path costs, stp selects relatively robust links and blocks redundant links, and finally prunes the network into a loop-free tree. How ...

Page 170

1-5 step description 2 based on the configuration bpdu and the path cost of the root port, the device calculates a designated port configuration bpdu for each of the rest ports. Z the root bridge id is replaced with that of the configuration bpdu of the root port. Z the root path cost is replaced wi...

Page 172

1-7 device comparison process bpdu of port after comparison z port cp1 receives the configuration bpdu of device a {0, 0, 0, ap2}. Device c finds that the received configuration bpdu is superior to the configuration bpdu of the local port {2, 0, 2, cp1}, and updates the configuration bpdu of cp1. Z ...

Page 174: Introduction to Rstp

1-9 for this reason, as a mechanism for state transition in stp, the newly elected root ports or designated ports require twice the forward delay time before transiting to the forwarding state to ensure that the new configuration bpdu has propagated throughout the network. Z hello time is the time i...

Page 176

1-11 z they have the same mstp revision level configuration, and z they are physically linked with one another. For example, all the devices in region a0 in figure 1-4 have the same mst region configuration: z the same region name, z the same vlan-to-instance mapping configuration (vlan 1 is mapped ...

Page 178

1-13 figure 1-5 port roles connecting to the common root bridge port 1 port 2 master port alternate port designated port port 3 port 4 port 5 a b c d port 6 backup port mst region figure 1-5 helps understand these concepts. In this figure: z devices a, b, c, and d constitute an mst region. Z port 1 ...

Page 180: Mstp Configuration Task List

1-15 protocols and standards mstp is documented in: z ieee 802.1d: media access control (mac) bridges z ieee 802.1w: part 3: media access control (mac) bridges—amendment 2: rapid reconfiguration z ieee 802.1s: virtual bridged local area networks—amendment 3: multiple spanning trees mstp configuratio...

Page 182

1-17 to do... Use the command... Remarks display the mst region configurations that are not activated yet check region-configuration optional activate mst region configuration manually active region-configuration required display the currently activated configuration information of the mst region di...

Page 185

1-20 to do... Use the command... Remarks configure the maximum hops of the mst region stp max-hops hops required 20 by default configuring the network diameter of a switched network any two terminal devices in a switched network are interconnected through a specific path composed of a series of devi...

Page 187

1-22 z 2 × (forward delay – 1 second) ƒ max age z max age ƒ 2 × (hello time + 1 second) we recommend that you specify the network diameter with the stp bridge-diameter command and let mstp automatically calculate optimal settings of these three timers based on the network diameter. Configuring the t...

Page 189

1-24 the device can automatically calculate the default path cost; alternatively, you can also configure the path cost for ports. Make the following configurations on the leaf nodes only. Specifying a standard that the device uses when calculating the default path cost you can specify a standard for...

Page 191

1-26 configuring port priority the priority of a port is an important factor in determining whether the port can be elected as the root port of a device. If all other conditions are the same, the port with the highest priority will be elected as the root port. On an mstp-enabled device, a port can h...

Page 194

1-29 to do... Use the command... Remarks enter layer 2 ethernet port view, or layer 2 aggregate port view interface interface-type interface-number enter port view or port group view enter port group view port-group manual port-group-name required use either command. Enable the mstp feature for the ...

Page 196

1-31 z gigabitethernet 1/0/1 on device a and gigabitethernet 1/0/1 on device b allow the traffic of vlan 1 to pass through. Gigabitethernet 1/0/2 on device a and gigabitethernet 1/0/2 on device b allow the traffic of vlan 2 to pass through. Z device a is the root bridge, and both device a and device...

Page 198

1-33 z enable digest snooping on device a’s and device b’s ports that connect device c, so that the three devices can communicate with one another. Figure 1-8 digest snooping configuration ge1/0/2 ge1/0/1 ge1/0/2 ge1/0/2 ge1/0/1 ge1/0/1 device a device b third-party device root port designated port ...

Page 200

1-35 to do... Use the command... Remarks enter system view system-view — enter layer 2 ethernet port view, or layer 2 aggregate port view interface interface-type interface-number enter port view or port group view enter port group view port-group manual port-group-name required use either command. ...

Page 202

1-37 to do... Use the command... Remarks enter layer 2 ethernet port view, or layer 2 aggregate port view interface interface-type interface-number enter port view or port group view enter port group view port-group manual port-group-name required use either command. Enable the root guard function f...

Page 204: Mstp Configuration Example

1-39 to do... Use the command... Remarks view the statistics of tc/tcn bpdus sent and received by all ports in the specified msti or all mstis display stp [ instance instance-id ] tc available in any view view the status information and statistics information of mstp display stp [ instance instance-...

Page 206

1-41 system-view [devicec] stp region-configuration [devicec-mst-region] region-name example [devicec-mst-region] instance 1 vlan 10 [devicec-mst-region] instance 2 vlan 20 [devicec-mst-region] revision-level 0 # activate mst region configuration. [devicec-mst-region] active region-configuration [de...

Page 208

1-43 figure 1-13 mstis corresponding to different vlans a b b c the msti corresponding to vlan 10 a d root bridge selected link blocked link the msti corresponding to vlan 30 a b c d the msti corresponding to vlan 40 c d the msti corresponding to vlan 20

Page 210: Ip Addressing Configuration

1-1 1 ip addressing configuration when assigning ip addresses to interfaces on your device, go to these sections for information you are interested in: z ip addressing overview z configuring ip addresses z displaying and maintaining ip addressing ip addressing overview this section covers these topi...

Page 212: Configuring Ip Addresses

1-3 in the absence of subnetting, some special addresses such as the addresses with the net id of all zeros and the addresses with the host id of all ones, are not assignable to hosts. The same is true for subnetting. When designing your network, you should note that subnetting is somewhat a tradeof...

Page 214: Table of Contents

I table of contents 1 ip performance optimization configuration···························································································1-1 ip performance optimization overview ··································································································1-1 ena...

Page 216: Configuring Tcp Attributes

1-2 enabling forwarding of directed broadcasts to a directly connected network if a device is enabled to receive directed broadcasts, the device will determine whether to forward them according to the configuration on the outgoing interface. Follow these steps to enable the device to forward directe...

Page 218

1-4 z with the protection against naptha attack enabled, the device will periodically check and record the number of tcp connections in each state. Z with the protection against naptha attack enabled, if the device detects that the number of tcp connections in a state exceeds the maximum number, the...

Page 220

1-6 to do… use the command… remarks enter system view system-view — enable sending of icmp timeout packets ip ttl-expires enable required disabled by default. Enable sending of icmp destination unreachable packets ip unreachables enable required disabled by default. The device stops sending “ttl tim...

Page 222: Arp Configuration

1-1 1 arp configuration when configuring arp, go to these sections for information you are interested in: z arp overview z configuring arp z configuring gratuitous arp z displaying and maintaining arp arp overview arp function the address resolution protocol (arp) is used to resolve an ip address in...

Page 224: Configuring Arp

1-3 arp table after obtaining the mac address for the destination host, the device puts the ip-to-mac mapping into its own arp table. This mapping is used for forwarding packets with the same destination in future. An arp table contains arp entries, which fall into one of two categories: dynamic or ...

Page 226

1-5 enabling the arp entry check the arp entry check function disables the device from learning multicast mac addresses. With the arp entry check enabled, the device cannot learn any arp entry with a multicast mac address, and configuring such a static arp entry is not allowed; otherwise, the system...

Page 229

2-1 2 arp attack defense configuration although arp is easy to implement, it provides no security mechanism and thus is prone to network attacks. Currently, arp attacks and viruses are threatening lan security. The device can provide multiple features to detect and prevent such attacks. Configuring ...

Page 231: Configuring Arp Detection

2-3 displaying and maintaining source mac address based arp attack detection to do… use the command… remarks display attacking entries detected display arp anti-attack source-mac [ interface interface-type interface-number] available in any view a protected mac address is no longer excluded from det...

Page 233

2-5 mac addresses, port index, and vlan id) are consistent, the arp packet passes the check; if not, the arp packet cannot pass the check. Z upon receiving an arp packet from an arp trusted port, the device does not check the arp packet. Z if arp detection is not enabled for the vlan, the arp packet...

Page 235

2-7 before performing the following configuration, make sure you have configured the arp detection enable command. Follow these steps to configure arp detection based on specified objects: to do… use the command… remarks enter system view system-view — specify objects for arp detection arp detection...

Page 237

2-9 after the preceding configurations are completed, when arp packets arrive at interfaces gigabitethernet 1/0/1 and gigabitethernet 1/0/2, their mac and ip addresses are checked, and then the packets are checked against the ip-to-mac binding and finally dhcp snooping entries. Arp detection configu...

Page 239: Table of Contents

I table of contents 1 dhcp relay agent configuration ············································································································1-1 introduction to dhcp relay agent ······································································································...

Page 241

1-1 this document is organized as follows: z dhcp relay agent configuration z dhcp client configuration z dhcp snooping configuration z bootp client configuration 1 dhcp relay agent configuration when configuring the dhcp relay agent, go to these sections for information you are interested in: z int...

Page 243

1-3 if a client’s requesting message has… handling strategy padding format the dhcp relay agent will… — normal forward the message after adding the option 82 padded in normal format. — verbose forward the message after adding the option 82 padded in verbose format. No option 82 — user-defined forwar...

Page 245

1-5 configuring the dhcp relay agent security functions creating static bindings and enabling ip address check the dhcp relay agent can dynamically record clients’ ip-to-mac bindings after clients get ip addresses. It also supports static bindings, that is, you can manually configure ip-to-mac bindi...

Page 247

1-7 follow these steps to configure the dhcp relay agent in system view to send a dhcp-release request: to do… use the command… remarks enter system view system-view — configure the dhcp relay agent to send a dhcp-release request dhcp relay release ip client-ip required configuring the dhcp relay ag...

Page 249

1-9 dhcp relay agent configuration examples dhcp relay agent configuration example network requirements as shown in figure 1-3 , dhcp clients reside on network 10.10.1.0/24. The ip address of the dhcp server is 10.1.1.1/24. Because the dhcp clients reside on a different network with the dhcp server,...

Page 251

1-11 troubleshooting dhcp relay agent configuration symptom dhcp clients cannot obtain any configuration parameters via the dhcp relay agent. Analysis some problems may occur with the dhcp relay agent or server configuration. Enable debugging and execute the display command on the dhcp relay agent t...

Page 253

2-2 z an interface can be configured to acquire an ip address in multiple ways, but these ways are mutually exclusive. The latest configuration will overwrite the previous one. Z after the dhcp client is enabled on an interface, no secondary ip address can be configured for the interface. Z if the i...

Page 255

3-2 recording ip-to-mac mappings of dhcp clients dhcp snooping reads dhcp-request messages and dhcp-ack messages from trusted ports to record dhcp snooping entries, including mac addresses of clients, ip addresses obtained by the clients, ports that connect to dhcp clients, and vlans to which the po...

Page 257

3-4 if a client’s requesting message has… handling strategy padding format the dhcp snooping device will… normal forward the message after replacing the original option 82 with the option 82 padded in normal format. Verbose forward the message after replacing the original option 82 with the option 8...

Page 261

3-8 z on gigabitethernet 1/0/2, configure the padding content for the circuit id sub-option as company001 and for the remote id sub-option as device001. Z on gigabitethernet 1/0/3, configure the padding format as verbose, access node identifier as sysname, and code type as ascii for option 82. Z swi...

Page 263: Through Bootp

4-2 obtaining an ip address dynamically a dhcp server can take the place of the bootp server in the following dynamic ip address acquisition. A bootp client dynamically obtains an ip address from a bootp server in the following steps: 1) the bootp client broadcasts a bootp request, which contains it...

Page 265: Table of Contents

I table of contents 1 ftp configuration ·····································································································································1-1 ftp overview ··············································································································...

Page 267: Configuring The Ftp Client

1-2 table 1-1 configuration when the device serves as the ftp client device configuration remarks device (ftp client) use the ftp command to establish the connection to the remote ftp server if the remote ftp server supports anonymous ftp, the device can log in to it directly; if not, the device mus...

Page 270

1-5 download a file from the ftp server under the authorized directory of the ftp server by following these steps: 1) use the dir or ls command to display the directory and the location of the file on the ftp server. 2) delete useless files for effective use of the storage space. 3) set the file tra...

Page 272

1-7 z device downloads a startup file from pc for device upgrade, and uploads the configuration file to pc for backup. Z on pc, an ftp user account has been created for the ftp client, with the username being abc and the password being pwd. Figure 1-2 network diagram for ftping a startup file from a...

Page 274

1-9 to do… use the command… remarks manually release the ftp connection established with the specified username free ftp user username optional available in user view configuring authentication and authorization on the ftp server to allow an ftp user to access certain directories on the ftp server, ...

Page 276

1-11 0 drw- - dec 07 2005 10:00:57 filename 1 drw- - jan 02 2006 14:27:51 logfile 2 -rw- 1216 jan 02 2006 14:28:59 config.Cfg 3 -rw- 1216 jan 02 2006 16:27:26 back.Cfg 97920 kb total (2511 kb free) delete /unreserved flash:/back.Cfg 2) configure the pc (ftp client) # log in to the ftp server through...

Page 278: Tftp Configuration

2-1 2 tftp configuration when configuring tftp, go to these sections for information you are interested in: z tftp overview z configuring the tftp client z displaying and maintaining the tftp client z tftp client configuration example tftp overview introduction to tftp the trivial file transfer prot...

Page 280

2-3 z if you use the tftp client source command and the tftp command to specify a source address respectively, the source address configured with the tftp command is used to communicate with a tftp server. The source address specified with the tftp client source command is valid for all tftp connect...

Page 282

2-5 the startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, refer to device management commands..

Page 284: Ip Routing and Routing Table

1-1 1 ip routing basics configuration go to these sections for information you are interested in: z ip routing and routing table z displaying and maintaining a routing table the term “router” in this document refers to a router in a generic sense or a layer 3 switch. Ip routing and routing table rou...

Page 287: Table of Contents

I table of contents 1 static routing configuration····················································································································1-1 introduction ·····················································································································...

Page 289: Configuring A Static Route

1-2 application environment of static routing before configuring a static route, you need to know the following concepts: 1) destination address and mask in the ip route-static command, an ipv4 address is in dotted decimal format and a mask can be either in dotted decimal format or in the form of ma...

Page 291

1-4 figure 1-1 network diagram for static route configuration configuration procedure 1) configuring ip addresses for interfaces (omitted) 2) configuring static routes # configure a default route on switch a. System-view [switcha] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2 # configure two static routes...

Page 293: Table of Contents

I table of contents 1 multicast overview ····································································································································1-1 introduction to multicast ·································································································...

Page 295: Multicast Overview

1-1 1 multicast overview this manual chiefly focuses on the ip multicast technology and device operations. Unless otherwise stated, the term “multicast” in this document refers to ip multicast. Introduction to multicast as a technique coexisting with unicast and broadcast, the multicast technique ef...

Page 297

1-3 figure 1-2 broadcast transmission assume that only host b, host d, and host e need the information. If the information is broadcast to the subnet, host a and host c also receive it. In addition to information security issues, this also causes traffic flooding on the same subnet. Therefore, broad...

Page 299

1-5 manage multicast group memberships on stub subnets with attached group members. A multicast router itself can be a multicast group member. For a better understanding of the multicast concept, you can assimilate multicast transmission to the transmission of tv programs, as shown in table 1-1 . Ta...

Page 301

1-7 multicast addresses to allow communication between multicast sources and multicast group members, network-layer multicast addresses, namely, multicast ip addresses must be provided. In addition, a technique must be available to map multicast ip addresses to link-layer multicast mac addresses. Ip...

Page 303

1-9 multicast protocols z generally, we refer to ip multicast working at the network layer as layer 3 multicast and the corresponding multicast protocols as layer 3 multicast protocols, which include igmp, pim, msdp, and mbgp; we refer to ip multicast working at the data link layer as layer 2 multic...

Page 305

1-11 packets to receivers located in different parts of the network, multicast routers on the forwarding path usually need to forward multicast packets received on one incoming interface to multiple outgoing interfaces. Compared with a unicast model, a multicast model is more complex in the followin...

Page 307

2-2 z reducing layer 2 broadcast packets, thus saving network bandwidth. Z enhancing the security of multicast traffic. Z facilitating the implementation of per-host accounting. Basic concepts in igmp snooping igmp snooping related ports as shown in figure 2-2 , router a connects to the multicast so...

Page 309

2-4 when receiving a membership report a host sends an igmp report to the igmp querier in the following circumstances: z upon receiving an igmp query, a multicast group member host responds with an igmp report. Z when intended to join a multicast group, a host sends an igmp report to the igmp querie...

Page 311

2-6 table 2-2 describes how an igmp snooping proxy processes igmp messages. Table 2-2 igmp message processing on an igmp snooping proxy igmp message actions general query when receiving an igmp general query, the proxy forwards it to all ports but the receiving port. In addition, the proxy generates...

Page 313

2-8 to do... Use the command... Remarks enter system view system-view — enable igmp snooping globally and enter igmp-snooping view igmp-snooping required disabled by default return to system view quit — enter vlan view vlan vlan-id — enable igmp snooping in the vlan igmp-snooping enable required dis...

Page 315

2-10 configuring static ports if all the hosts attached to a port are interested in the multicast data addressed to a particular multicast group or the multicast data that a particular multicast source sends to a particular group, you can configure static (*, g) or (s, g) joining on that port, namel...

Page 317

2-12 configuring fast leave processing on a port or a group of ports follow these steps to configure fast leave processing on a port or a group of ports: to do... Use the command... Remarks enter system view system-view — interface interface-typeinterface-number enter ethernet interface/layer 2 aggr...

Page 319

2-14 to do... Use the command... Remarks configure the maximum response time to igmp general queries igmp-snooping max-response-time interval optional 10 seconds by default configure the igmp last-member query interval igmp-snooping last-member-query-interval interval optional 1 second by default in...

Page 321

2-16 configuring a multicast group filter on an igmp snooping–enabled switch, the configuration of a multicast group allows the service provider to define restrictions on multicast programs available to different users. In an actual application, when a user requests a multicast program, the user’s h...

Page 323

2-18 to do... Use the command... Remarks port group view port-group manual port-group-name use either approach configure the maximum number of multicast groups allowed on the port(s) igmp-snooping group-limit limit [ vlan vlan-list ] optional by default, the maximum number of multicast groups allowe...

Page 325

2-20 displaying and maintaining igmp snooping to do... Use the command... Remarks display igmp snooping multicast group information (on a centralized device) display igmp-snooping group [ vlan vlan-id ] [ verbose ] available in any view display the statistics information of igmp messages learned by ...

Page 327

2-22 # configure a multicast group filter so that the hosts in vlan 100 can join only the multicast group 224.1.1.1. [switcha] acl number 2001 [switcha-acl-basic-2001] rule permit source 224.1.1.1 0 [switcha-acl-basic-2001] quit [switcha] igmp-snooping [switcha-igmp-snooping] group-policy 2001 vlan ...

Page 329

2-24 configure an ip address and subnet mask for each interface as per figure 2-5 . The detailed configuration steps are omitted. 2) configure router a # enable ip multicast routing, enable pim-dm on each interface, and enable igmp on gigabitethernet 1/0/1. System-view [routera] multicast routing-en...

Page 331

2-26 total 1 ip group(s). Total 1 ip source(s). Total 1 mac group(s). Port flags: d-dynamic port, s-static port, c-copy port subvlan flags: r-real vlan, c-copy vlan vlan(id):100. Total 1 ip group(s). Total 1 ip source(s). Total 1 mac group(s). Router port(s):total 1 port. Ge1/0/2 (d) ( 00:01:23 ) ip...

Page 333

2-28 [switchb-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4 # enable igmp snooping and the function of dropping unknown multicast traffic in vlan 100. [switchb-vlan100] igmp-snooping enable [switchb-vlan100] igmp-snooping drop-unknown [switchb-vlan100] quit configurations on switch c ...

Page 335

2-30 4) verify the configuration after the configuration is completed, host a and host b send igmp join messages for group 224.1.1.1. Receiving the messages, switch a sends a join message for the group out port gigabitethernet 1/0/1 (a router port) to router a. Use the display igmp-snooping group co...

Page 337

2-32 z the function of dropping unknown multicast data is not enabled, so unknown multicast data is flooded. Solution 1) use the display acl command to check the configured acl rule. Make sure that the acl rule conforms to the multicast group policy to be implemented. 2) use the display this command...

Page 339: Configuring Multicast Vlan

2-2 figure 3-2 port-based multicast vlan after the configuration, upon receiving an igmp message on a user port, switch a tags the message with the multicast vlan id and relays it to the igmp querier, so that igmp snooping can uniformly manage the router ports and member ports in the multicast vlan....

Page 341

2-4 for details about the port link-type, port hybrid pvid vlan, and port hybrid vlan commands, refer to vlan commands. Configuring multicast vlan ports in this approach, you need to configure a vlan as a multicast vlan and then assign user ports to this multicast vlan by either adding the user port...

Page 343

2-6 network diagram figure 3-3 network diagram for port-based multicast vlan configuration configuration procedure 1) configure ip addresses configure the ip address and subnet mask for each interface as per figure 3-3. The detailed configuration steps are omitted here. 2) configure router a # enabl...

Page 345

2-8 total 1 ip source(s). Total 1 mac group(s). Router port(s):total 1 port. Ge1/0/1 (d) ip group(s):the following ip group(s) match to one mac group. Ip group address:224.1.1.1 (0.0.0.0, 224.1.1.1): host port(s):total 3 port. Ge1/0/2 (d) ge1/0/3 (d) ge1/0/4 (d) mac group(s): mac group address:0100-...

Page 347

Ii configure wrr queuing·················································································································5-5 configuring sp+wrr queuing ·······································································································5-6 6 traffic filtering confi...

Page 349: Qos Techniques Overview

1-2 small-sized or edge networks, but not large-sized networks, for example, the core layer of the internet, where billions of flows are present. Diffserv model the differentiated service (diffserv) model is a multiple-service model that can satisfy diverse qos requirements. Unlike intserv, diffserv...

Page 352

2-3 form description source-mac mac-address specifies to match the packets with a specified source mac address. To successfully execute the traffic behavior associated with a traffic class that uses the and operator, define only one if-match clause for any of the following match criteria and input o...

Page 354

2-5 [sysname-gigabitethernet1/0/1] qos apply policy test_policy inbound displaying and maintaining qos policies to do… use the command… remarks display traffic class information display traffic classifier user-defined [ tcl-name ] available in any view display traffic behavior configuration informat...

Page 356

3-2 priority mapping tables priority mapping is implemented with priority mapping tables. The device provides various types of priority mapping tables, or rather, priority mappings. By looking up a priority mapping table, the device decides which priority value is to assign to a packet for subsequen...

Page 360

3-6 figure 3-2 network diagram for priority mapping table and priority marking configuration configuration procedure 1) configure trusting port priority # set the port priority of gigabitethernet 1/0/1 to 3. System-view [device] interface gigabitethernet 1/0/1 [device-gigabitethernet1/0/1] qos prior...

Page 362

4-2 to do… use the command… remarks enter system view system-view — enter interface view interface interface-type interface-number enter interface view or port group view enter port group view port-group manual port-group-name use either command settings in interface view take effect on the current ...

Page 364

5-2 queue scheduling processes packets by their priorities, preferentially forwarding high-priority packets. In the following section, strict priority (sp) queuing, weighted fair queuing (wfq), and sp+wrr queuing are introduced. Sp queuing sp queuing is specially designed for mission-critical applic...

Page 366

5-4 sp+wrr queuing sp+wrr queuing uses one sp queuing group and two wrr queuing groups. The switch uses wrr to schedule queues in each wrr queuing group according to their weights, and then uses sp queuing to schedule the dequeued packets together with the packets in the sp queuing group. For exampl...

Page 368

5-6 z assign queue 0 and queue 1 to the wrr group 1, with the weight of 10 and 20 respectively. Z assign queue 2 and queue 3 to the wrr group 2, with the weight of 30 and 50 respectively. 2) configuration procedure # enter system view. System-view # configure wrr queuing on gigabitethernet 1/0/1. [s...

Page 370: Traffic Filtering Overview

6-1 6 traffic filtering configuration when configuring traffic filtering, go to these sections for information you are interested in: z traffic filtering overview z configuring traffic filtering z traffic filtering configuration example traffic filtering overview you can filter in or filter out a cl...

Page 372

6-3 [devicea-behavior-behavior_1] filter deny [devicea-behavior-behavior_1] quit # create a policy named policy, and associate class classifier_1 with behavior behavior_1 in the policy. [devicea] qos policy policy [devicea-qospolicy-policy] classifier classifier_1 behavior behavior_1 [devicea-qospol...

Page 374: Appendix

8-1 8 appendix this chapter includes these sections: z appendix a default priority mapping tables z appendix b introduction to packet precedences appendix a default priority mapping tables for the default dot1p-dot1p and dscp-dscp priority mapping tables, an input value yields a target value equal t...

Page 376

8-3 dscp value (decimal) dscp value (binary) description 14 001110 af13 18 010010 af21 20 010100 af22 22 010110 af23 26 011010 af31 28 011100 af32 30 011110 af33 34 100010 af41 36 100100 af42 38 100110 af43 8 001000 cs1 16 010000 cs2 24 011000 cs3 32 100000 cs4 40 101000 cs5 48 110000 cs6 56 111000 ...

Page 378: Table of Contents

I table of contents 1 802.1x configuration·································································································································1-1 802.1x overview··············································································································...

Page 380

1-2 z device, residing at the other end of the lan segment, is the entity that authenticates connected clients. Device is usually an 802.1x-enabled network device and provides access ports for clients to the lan. Z server is the entity that provides authentication services to device. Server, normall...

Page 382

1-4 figure 1-3 eapol packet format z pae ethernet type: protocol type. It takes the value 0x888e. Z protocol version: version of the eapol protocol supported by the eapol packet sender. Z type: type of the eapol packet. Table 1-1 lists the types that the device currently supports. Table 1-1 types of...

Page 384

1-6 unsolicited triggering of a client a client initiates authentication by sending an eapol-start packet to the device. The destination address of the packet is 01-80-c2-00-00-03, the multicast address specified by the ieee 802.1x protocol. Some devices in the network may not support multicast pack...

Page 386

1-8 8) after receiving the eap-response/md5 challenge packet, the device relays the packet in a radius access-request packet to the authentication server. 9) when receiving the radius access-request packet, the radius server compares the password information encapsulated in the packet with that gene...

Page 388

1-10 z username request timeout timer (tx-period): this timer is triggered by the device in two cases. The first case is when the client requests for authentication. The device starts this timer when it sends an eap-request/identity packet to a client. If it receives no response before this timer ex...

Page 390

1-12 similar to a guest vlan, an auth-fail vlan can be a port-based auth-fail vlan (pafv) or a mac-based auth-fail vlan (mafv), depending on the port access control method. Currently, on the switch, an auth-fail vlan can be only a port-based auth-fail vlan (pafv). Pafv refers to the auth-fail vlan c...

Page 394: Enabling The Quiet Timer

1-16 z you need to disable proxy detection before disabling the online user handshake function. Z some 802.1x clients do not support exchanging handshake packets with the device. In this case, you need to disable the online user handshake function on the device; otherwise the device will tear down t...

Page 396

1-18 z to configure a port-based guest vlan, make sure that the port access control method is portbased, and the 802.1x multicast trigger function is enabled. Configuration procedure follow these steps to configure a guest vlan: to do… use the command… remarks enter system view system-view — in syst...

Page 398

1-20 z set the username of the 802.1x user as localuser and the password as localpass and specify to use clear text mode. Enable the idle cut function to log the user off whenever the user remains idle for over 20 minutes. Figure 1-10 network diagram for 802.1x configuration configuration procedure ...

Page 400

1-22 guest vlan and vlan assignment configuration example network requirements as shown in figure 1-11 : z a host is connected to port gigabitethernet 1/0/2 of the device and must pass 802.1x authentication to access the internet. Gigabitethernet 1/0/2 is in vlan 1. Z the authentication server runs ...

Page 402

1-24 [switch-radius-2000] primary authentication 10.11.1.1 1812 [switch-radius-2000] primary accounting 10.11.1.1 1813 [switch-radius-2000] key authentication abc [switch-radius-2000] key accounting abc [switch-radius-2000] user-name-format without-domain [switch-radius-2000] quit # configure authen...

Page 404

1-26 after logging in successfully, a user can use the ping command to verify whether the acl 3000 assigned by the radius server functions. C:\>ping 10.0.0.1 pinging 10.0.0.1 with 32 bytes of data: request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 10.0.0...

Page 406

Ii troubleshooting aaa ····························································································································1-38 troubleshooting radius ··············································································································1-38.

Page 408: Introduction to Radius

1-2 z authorization: grants different users different rights. For example, a user logging into the server can be granted the permission to access and print the files in the server. Z accounting: records all network service usage information of users, including the service type, start and end time, a...

Page 410

1-4 1) the host initiates a connection request carrying the username and password to the radius client. 2) having received the username and password, the radius client sends an authentication request (access-request) to the radius server, with the user password encrypted by using the message-digest ...

Page 412

1-6 no. Attribute no. Attribute 6 service-type 50 acct-multi-session-id 7 framed-protocol 51 acct-link-count 8 framed-ip-address 52 acct-input-gigawords 9 framed-ip-netmask 53 acct-output-gigawords 10 framed-routing 54 (unassigned) 11 filter-id 55 event-timestamp 12 framed-mtu 56-59 (unassigned) 13 ...

Page 414: Aaa Configuration Task List

1-8 aaa configuration task list the basic procedure to configure aaa is as follows: 1) configure the required aaa schemes. Z local authentication: configure local users and related attributes, including usernames and passwords of the users to be authenticated. Z remote authentication: configure the ...

Page 416

1-10 for the nas, each user belongs to an isp domain. Up to 16 isp domains can be configured on a nas. If a user does not provide the isp domain name, the system considers that the user belongs to the default isp domain. Follow these steps to create an isp domain: to do… use the command… remarks ent...

Page 419

1-13 1) determine the access mode or service type to be configured. With aaa, you can configure an authorization scheme specifically for each access mode and service type, limiting the authorization protocols that can be used for access. 2) determine whether to configure an authorization method for ...

Page 421

1-15 z with the accounting optional command configured, a user that would be otherwise disconnected can still use the network resources even when no accounting server is available or communication with the current accounting server fails. Z the local accounting is not used for accounting implementat...

Page 424: Configuring Radius

1-18 access device can obtain the nas id by the access vlan of the user and then send the nas id to the radius server through the nas-identifier attribute. Follow these steps to configure a nas id-vlan binding: to do… use the command… remarks enter system view system-view — create a nas id profile a...

Page 426

1-20 z it is recommended to specify only the primary radius authentication/authorization server if backup is not required. Z if both the primary and secondary authentication/authorization servers are specified, the secondary one is used when the primary one is unreachable. Z in practice, you may spe...

Page 428

1-22 to retransmit the radius request. If the number of transmission attempts exceeds the specified limit but it still receives no response, it considers that the authentication has failed. Follow these steps to set the upper limit of radius request retransmission attempts: to do… use the command… r...

Page 431

1-25 follow these steps to specify the source ip address for radius packets to be sent: to do… use the command… remarks enter system view system-view — radius nas-ip ip-address specify the source ip address for radius packets to be sent radius scheme radius-scheme-name nas-ip ip-address required use...

Page 433

1-27 to do… use the command… remarks set the retransmission interval of accounting-on packets accounting-on enable interval seconds optional 3 seconds by default the accounting-on feature needs to cooperate with the h3c imc network management system. Enabling the listening port of the radius client ...

Page 435

1-29 [switch-radius-rd] quit # create a local user named hello. [switch] local-user hello [switch-luser-hello] service-type telnet [switch-luser-hello] password simple hello [switch-luser-hello] authorization-attribute level 3 [switch-luser-hello] quit [switch] domain default enable bbb # configure ...

Page 437

1-31 figure 1-9 add an account for device management 2) configure the switch # configure the ip address of vlan interface 2, through which the ssh user accesses the switch. System-view [switch] interface vlan-interface 2 [switch-vlan-interface2] ip address 192.168.1.70 255.255.255.0 [switch-vlan-int...

Page 439

1-33 z specify that a username sent to the radius server carries the domain name. The username of the user is dot1x@bbb. Z after the host passes authentication, the authentication server assigns the host to vlan 4. Z the host registers a monthly service charging 120 dollars for up to 120 hours per m...

Page 441

1-35 z add a service named dot1x auth and set the service suffix to bbb, which indicates the authentication domain for the 802.1x user. With the service suffix configured, you must configure usernames to be sent to the radius service to carry the domain name. Z specify useracct as the charging plan....

Page 443

1-37 # enable 802.1x globally. [switch] dot1x # enable 802.1x for port gigabitethernet1/0/1. [switch] interface gigabitethernet 1/0/1 [switch-gigabitethernet1/0/1] dot1x [switch-gigabitethernet1/0/1] quit # configure the access control method. (optional because the default setting meets the requirem...

Page 445

1-39 2) configuration of the authentication/authorization server and the accounting server are not correct on the nas. For example, one server is configured on the nas to provide all the services of authentication/authorization and accounting, but in fact the services are provided by different serve...

Page 447: Pki Configuration

1-1 1 pki configuration this chapter includes these sections: z introduction to pki z pki configuration task list z displaying and maintaining pki z pki configuration examples z troubleshooting pki introduction to pki this section covers these topics: z pki overview z pki terms z architecture of pki...

Page 449

1-3 ca a ca is a trusted authority responsible for issuing and managing digital certificates. A ca issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing crls. Ra a registration authority (ra) is an extended part of a ca or an independen...

Page 451

1-5 the configuration of an entity dn must comply with the ca certificate issue policy. You need to determine, for example, which entity dn parameters are mandatory and which are optional. Otherwise, certificate request may be rejected. Follow these steps to configure an entity dn: to do… use the co...

Page 455

1-9 z if a pki domain already has a local certificate, creating an rsa key pair will result in inconsistency between the key pair and the certificate. To generate a new rsa key pair, delete the local certificate and then issue the public-key local create command. For information about the public-key...

Page 457: Deleting A Certificate

1-11 to do… use the command… remarks enter system view system-view — enter pki domain view pki domain domain-name — disable crl checking crl check disable required enabled by default return to system view quit — retrieve the ca certificate refer to retrieving a certificate manually required verify t...

Page 461

1-15 it will take a few minutes. Press ctrl+c to abort. Input the bits in the modulus [default = 1024]: generating keys... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++ z apply...

Page 463

1-17 network requirements configure pki entity switch to request a local certificate from the ca server. Figure 1-3 request a certificate from a ca running windows 2003 server configuration procedure 1) configure the ca server z install the certificate server suites from the start menu, select contr...

Page 465

1-19 # use the following command to view information about the local certificate acquired. Display pki certificate local domain torsa certificate: data: version: 3 (0x2) serial number: 48fa0fd9 00000000 000c signature algorithm: sha1withrsaencryption issuer: cn=myca validity not before: nov 21 12:32...

Page 467: Troubleshooting Pki

1-21 [switch-pki-cert-attribute-group-mygroup1] quit # create certificate attribute group mygroup2 and add two attribute rules. The first rule defines that the fqdn of the alternative subject name does not include the string of apple, and the second rule defines that the dn of the certificate issuer...

Page 469: Table of Contents

I table of contents 1 ssl configuration ·····································································································································1-1 ssl overview ··············································································································...

Page 471

1-2 figure 1-1 message integrity verification by a mac algorithm z for details about symmetric key algorithms, asymmetric key algorithm rsa and digital signature, see public key configuration. Z for details about pki, certificate, and ca, see pki configuration. Ssl protocol stack as shown in figure ...

Page 473

1-4 to do... Use the command... Remarks number of cached sessions, z 3600 seconds for the caching timeout time. Enable certificate-based ssl client authentication client-verify enable optional not enabled by default z if you enable client authentication here, you must request a local certificate for...

Page 475

1-6 [device-ssl-server-policy-myssl]quit # configure https service to use ssl server policy myssl. [device] ip https ssl-server-policy myssl # enable https service. [device] ip https enable # create a local user named usera, and set the password to 123 and service type to telnet. [device] local-user...

Page 477

1-8 solution 1) you can issue the debugging ssl command and view the debugging information to locate the problem: z if the ssl client is configured to authenticate the ssl server but the ssl server has no certificate, request one for it. Z if the server’s certificate cannot be trusted, install on th...

Page 479: Ssh2.0 Configuration

1-1 1 ssh2.0 configuration this chapter includes these sections: z ssh2.0 overview z configuring the device as an ssh server z configuring the device as an ssh client z displaying and maintaining ssh z ssh server configuration examples z ssh client configuration examples ssh2.0 overview introduction...

Page 481

1-3 before the negotiation, the server must have already generated a dsa or rsa key pair, which is not only used for generating the session key, but also used by the client to authenticate the identity of the server. For details about dsa and rsa key pairs, refer to public key configuration. Authent...

Page 484

1-6 to do… use the command… remarks enter system view system-view — enter user interface view of one or more user interfaces user-interface vty number [ ending-number ] — set the login authentication mode to scheme authentication-mode scheme required by default, the authentication mode is password. ...

Page 487

1-9 setting the ssh management parameters ssh management includes: z enabling the ssh server to be compatible with ssh1 client z setting the server key pair update interval, applicable to users using ssh1 client z setting the ssh user authentication timeout period z setting the maximum number of ssh...

Page 489

1-11 to do... Use the command… remarks configure the server host public key refer to configuring a client public key required the method for configuring the server host public key on the client is similar to that for configuring client public key on the server. Specify the host public key name of th...

Page 491

1-13 [switch-luser-client001] password simple aabbcc [switch-luser-client001] service-type ssh [switch-luser-client001] authorization-attribute level 3 [switch-luser-client001] quit # specify the service type for user client001 as stelnet, and the authentication mode as password. This step is option...

Page 493

1-15 before performing the following tasks, you must use the client software to generate an rsa key pair on the client, save the public key in a file named key.Pub, and then upload the file to the ssh server through ftp or tftp. For details, refer to configure the ssh client below. # import the clie...

Page 495

1-17 figure 1-7 generate a client key pair 4) after generating a key pair on a client, you need to transmit the saved public key file to the server through ftp or tftp and have the configuration on the server done before continuing configuration of the client. # specify the private key file and esta...

Page 497

1-19 [switchb] public-key local create dsa [switchb] ssh server enable # create an ip address for vlan interface 1, which the ssh client will use as the destination for ssh connection. [switchb] interface vlan-interface 1 [switchb-vlan-interface1] ip address 10.165.87.136 255.255.255.0 [switchb-vlan...

Page 499

1-21 when switch acts as client for publickey authentication network requirements z as shown in figure 1-11 , switch a (the ssh client) needs to log into switch b (the ssh server) through the ssh protocol. Z publickey authentication is used, and the public key algorithm is dsa. Figure 1-11 switch ac...

Page 501: Sftp Service

2-1 2 sftp service when configuring sftp, go to these sections for information you are interested in: z sftp overview z configuring an sftp server z configuring an sftp client z sftp client configuration example z sftp server configuration example sftp overview the secure file transfer protocol (sft...

Page 504

2-4 working with sftp files sftp file operations include: z changing the name of a file z downloading a file z uploading a file z displaying a list of the files z deleting a file follow these steps to work with sftp files: to do… use the command… remarks enter sftp client view sftp server [ port-num...

Page 507

2-7 # configure an ip address for vlan interface 1. System-view [switcha] interface vlan-interface 1 [switcha-vlan-interface1] ip address 192.168.0.2 255.255.255.0 [switcha-vlan-interface1] quit # generate rsa key pairs. [switcha] public-key local create rsa # export the host public key to file pubk...

Page 509

2-9 sftp-client> quit bye connection closed. Sftp server configuration example network requirements as shown in figure 2-2 , an ssh connection is established between the host and the switch. The host, an sftp client, logs into the switch for file management and file transfer. An ssh user uses passwo...

Page 511: Table of Contents

I table of contents 1 public key configuration··························································································································1-1 asymmetric key algorithm overview·······························································································...

Page 513

1-2 asymmetric key algorithm applications asymmetric key algorithms can be used for encryption and digital signature: z encryption: the sender uses the public key of the intended receiver to encrypt the information to be sent. Only the intended receiver, the holder of the paired private key, can dec...

Page 515

1-4 z if you choose to input the public key manually, be sure to input it in the correct format. The key data displayed by the display public-key local public command meets the format requirements. The public key displayed in other methods may not meet the format requirements. A format-incompliant k...

Page 518

1-7 4ad597d0fb3aa9f7202c507072b19c3c50a0d7ad3994e14abc62db125035ea326470034dc078b2baa3bc3bca 80aab5ee01986bd1ef64b42f17ccae4a77f1ef999b2bf9c4a10203010001 importing the public key of a peer from a public key file network requirements as shown in figure 1-3 , to prevent illegal access, device b authen...

Page 520

1-9 [deviceb] public-key peer devicea import sshkey devicea.Pub # display the host public key of device a saved on device b. [deviceb] display public-key peer name devicea ===================================== key name : devicea key type : rsa key module: 1024 ===================================== k...

Page 522: Habp Configuration

1-1 1 habp configuration when configuring habp, go to these sections for the information you are interested in: z introduction to habp z configuring habp z displaying and maintaining habp z habp configuration example introduction to habp the hw authentication bypass protocol (habp) is used to enable...

Page 524: Habp Configuration Example

1-3 displaying and maintaining habp to do… use the command… remarks display habp configuration information display habp available in any view display habp mac address table entries display habp table available in any view display habp packet statistics display habp traffic available in any view habp...

Page 526: Table of Contents

I table of contents 1 acl configuration·····································································································································1-1 acl overview ···············································································································...

Page 528

1-2 z software-based application: an acl is referenced by a piece of upper layer software. For example, an acl can be referenced to configure login user control behavior, thus controlling telnet, snmp and web users. Note that when an acl is reference by the upper layer software, actions to be taken ...

Page 530: Acl Configuration Task List

1-4 for example, if the numbering step is 5 (the default), and there are five acl rules numbered 0, 5, 9, 10, and 12, the newly defined rule will be numbered 15. If the acl does not contain any rule, the first rule will be numbered 0. Whenever the step changes, the rules are renumbered, starting fro...

Page 534

1-8 z when the acl match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the ids of the rules still remain the same. Z you can modify the match order of an acl with the acl number acl-number [ name acl-name ] match-order { auto ...

Page 536

1-10 filtering ethernet frames follow these steps to apply an ethernet frame header acl to an interface to filter ethernet frames: to do… use the command… remarks enter system view system-view — enter ethernet interface view interface interface-type interface-number enter interface view enter vlan i...

Page 538: Table of Contents

I table of contents 1 device management ··································································································································1-1 device management overview ···································································································...

Page 541

1-3 z device reboot may result in the interruption of the ongoing services. Use these commands with caution. Z before device reboot, use the save command to save the current configurations. For details about the save command, refer to file system configuration. Z before device reboot, use the comman...

Page 543

1-5 1) copy the boot rom program to the root directory of the device's storage medium using ftp or tftp. 2) use a command to specify the boot rom program for the next boot. 3) reboot the device to make the specified boot rom program take effect. Follow these steps to upgrade the boot rom program: to...

Page 545

1-7 identifying pluggable transceivers as pluggable transceivers are of various types and from different vendors, you can use the following commands to view the key parameters of the pluggable transceivers, including transceiver type, connector type, central wavelength of the laser sent, transfer di...

Page 547

1-9 figure 1-2 network diagram for remote scheduled automatic upgrade ftp client ftp server user telnet device 1.1.1.1/24 2.2.2.2/24 internet configuration procedure 1) configuration on the ftp server (note that configurations may vary with different types of servers) z set the access parameters for...

Page 549: Table of Contents

I table of contents 1 ntp configuration ·····································································································································1-1 ntp overview ··············································································································...

Page 551

1-2 z the clock stratum determines the accuracy, which ranges from 1 to 16. The stratum of a reference clock ranges from 1 to 15. The clock accuracy decreases as the stratum number increases. A stratum 16 clock is in the unsynchronized state. Z the local clock of an s5120-si ethernet switch cannot o...

Page 553

1-4 all ntp messages mentioned in this document refer to ntp clock synchronization messages. A clock synchronization message is encapsulated in a udp message, in the format shown in figure 1-2 . Figure 1-2 clock synchronization message format li vn mode stratum poll precision 0 7 15 23 31 root delay...

Page 555

1-6 figure 1-4 symmetric peers mode a device working in the symmetric active mode periodically sends clock synchronization messages, with the mode field in the message set to 1 (symmetric active); the device that receives this message automatically enters the symmetric passive mode and sends a reply...

Page 557

1-8 z client/server mode z symmetric mode z broadcast mode z multicast mode for the client/server mode or symmetric mode, you need to configure only clients or symmetric-active peers; for the broadcast or multicast mode, you need to configure both servers and clients. A single device can have a maxi...

Page 559

1-10 configuring ntp broadcast mode the broadcast server periodically sends ntp broadcast messages to the broadcast address 255.255.255.255. After receiving the messages, the device working in ntp broadcast client mode sends a reply and synchronizes its local clock. For devices working in the broadc...

Page 561

1-12 to do… use the command… remarks specify the source interface for ntp messages ntp-service source-interface interface-type interface-number required by default, no source interface is specified for ntp messages, and the system uses the ip address of the interface determined by the matching route...

Page 563

1-14 configuring ntp authentication the ntp authentication feature should be enabled for a system running ntp in a network where there is a high security demand. This feature enhances the network security by means of client-server key authentication, which prohibits a client from synchronizing with ...

Page 566

1-17 clock offset: 0.0000 ms root delay: 0.00 ms root dispersion: 0.00 ms peer dispersion: 0.00 ms reference time: 00:00:00.000 utc jan 1 1900 (00000000.00000000) # specify device a as the ntp server of device b so that device b is synchronized to device a. System-view [deviceb] ntp-service unicast-...

Page 568

1-19 nominal frequency: 100.0000 hz actual frequency: 100.0000 hz clock precision: 2^18 clock offset: -21.1982 ms root delay: 15.00 ms root dispersion: 775.15 ms peer dispersion: 34.29 ms reference time: 15:22:47.083 utc sep 19 2005 (c6d95647.153f7ced) as shown above, device c has been synchronized ...

Page 570

1-21 configuring ntp multicast mode network requirements as shown in figure 1-10 , switch c functions as the ntp server for multiple devices on different network segments and synchronizes the time among multiple devices. To realize this requirement, perform the following configurations: z switch c’s...

Page 572

1-23 system-view [switcha] interface vlan-interface 3 # configure switch a to work in the multicast client mode and receive multicast messages on vlan-interface 3. [switcha-vlan-interface3] ntp-service multicast-client # view the ntp status of switch a after clock synchronization. [switcha-vlan-inte...

Page 574

1-25 note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured total associations : 1 configuring ntp broadcast mode with authentication network requirements as shown in figure 1-12 , switch c functions as the ntp server for multiple devices on different network segments and synchron...

Page 576: Table of Contents

I table of contents 1 snmp configuration··································································································································1-1 snmp overview·················································································································...

Page 578

1-2 z inform operation: the nms sends traps to other nmss through this operation. Snmp protocol version currently, snmp agents support three protocol versions: snmpv1, snmpv2c and snmpv3. Z snmpv1 uses community names for authentication, which defines the relationship between an snmp nms and an snmp...

Page 581: Configuring Snmp Logging

1-5 to do… use the command… remarks configure the maximum size of an snmp packet that can be received or sent by an snmp agent snmp-agent packet max-size byte-count optional 1,500 bytes by default. The validity of a usm user depends on the engine id of the snmp agent. If the engine id generated when...

Page 583

1-7 to enable an interface to send linkup/linkdown traps when its state changes, you need to enable the trap function of interface state changes on an interface and globally. Use the enable snmp trap updown command to enable the trap function on an interface, and use the snmp-agent trap enable [ sta...

Page 585

1-9 figure 1-3 network diagram for snmpv1/v2c configuration procedure 1) configuring the snmp agent # configure the ip address of the agent as 1.1.1.1/24 and make sure that there is a route between the agent and the nms. (the configuration procedure is omitted here) # configure the snmp basic inform...

Page 587

1-11 the configurations on the agent and the nms must match. 3) verify the configuration z after the above configuration, an snmp connection is established between the nms and the agent. The nms can get and configure the values of some parameters on the agent through mib nodes. Z execute the shutdow...

Page 589: Mib Style Configuration

2-1 2 mib style configuration when configuring mib style, go to these sections for information you are interested in: z setting the mib style z displaying and maintaining mib h3c private mib involves two styles, h3c compatible mib and h3c new mib. In the h3c compatible mib style, the device sysoid i...

Page 591: Rmon Configuration

1-1 1 rmon configuration when configuring rmon, go to these sections for information you are interested in: z rmon overview z configuring the rmon statistics function z configuring the rmon alarm function z displaying and maintaining rmon z rmon configuration example (logging information) z rmon con...

Page 593

1-3 if the value of a sampled alarm variable overpasses the same threshold multiple times, only the first one can cause an alarm event. That is, the rising alarm and falling alarm are alternate. Private alarm group the private alarm group calculates the values of alarm variables and compares the res...

Page 595

1-5 z the entry-number must be globally unique and cannot be used on another interface; otherwise, the operation fails. Z you can configure multiple history entries on one interface, but the values of the entry-number arguments must be different, and the values of the sampling-interval arguments mus...

Page 597

1-7 rmon configuration example (logging information) network requirements as shown in figure 1-1 , agent is connected to a configuration terminal through its console port and to server through ethernet cables. Create an entry in the rmon ethernet statistics table to gather statistics on gigabitether...

Page 599

1-9 [sysname-gigabitethernet1/0/1] quit # create an rmon alarm entry that when the delta sampling value of node 1.3.6.1.2.1.16.1.1.1.4.1 exceeds 100, event 1 is triggered to send traps; when the delta sampling value of the node is lower than 50, event 2 is triggered to send traps. [sysname] rmon eve...

Page 601

Ii backing up the startup configuration file······························································································2-7 deleting the startup configuration file for the next startup ··································································2-8 restoring the startup confi...

Page 603: Directory Operations

1-2 directory operations directory operations include creating/removing a directory, displaying the current working directory, displaying the specified directory or file information, and so on. Displaying directory information to do… use the command… remarks display directory or file information dir...

Page 605

1-4 copying a file to do… use the command… remarks copy a file copy fileurl-source fileurl-dest required available in user view moving a file to do… use the command… remarks move a file move fileurl-source fileurl-dest required available in user view deleting a file to do… use the command… remarks m...

Page 608

1-7 to do… use the command… remarks display data on the specified physical page display nandflash page-data page-value setting file system prompt modes the file system provides the following two prompt modes: z alert: in this mode, the system warns you about operations that may bring undesirable con...

Page 610: Configuration File Overview

2-1 2 configuration file management the device provides the configuration file management function with a user-friendly command line interface (cli) for you to manage the configuration files conveniently. This section covers these topics: z configuration file overview z saving the current configurat...

Page 612

2-3 z safe mode. This is the mode when you use the save command with the safely keyword. The mode saves the file more slowly but can retain the configuration file in the device even if the device reboots or the power fails during the process. The fast saving mode is suitable for environments where p...

Page 614

2-5 the number of saved configuration files has an upper limit. After the maximum number of files is saved, the system deletes the oldest files when the next configuration file is saved. Follow these steps to configure parameters for saving the current running configuration: to do… use the command… ...

Page 616

2-7 do not unplug and plug during configuration rollback (that is, the system is executing the configuration replace file command). In addition, configuration rollback may fail if one of the following situations is present (if a command cannot be rolled back, the system skips it and processes the ne...

Page 618

2-9 restoring the startup configuration file the restore function allows you to copy a configuration file from a tftp server to the device and specify the file as the startup configuration file to be used at the next system startup. Follow the step below to restore the startup configuration file to ...

Page 620: Ping

1-1 1 system maintaining and debugging when maintaining and debugging the system, go to these sections for information you are interested in: z system maintaining and debugging z ping z tracert z system debugging z ping and tracert configuration example system maintaining and debugging you can use t...

Page 622

1-3 record route: 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1 reply from 1.1.2.2: bytes=56 sequence=2 ttl=254 time=1 ms record route: 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1 reply from 1.1.2.2: bytes=56 sequence=3 ttl=254 time=1 ms record route: 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1 reply from 1.1.2.2: bytes=56 sequence=4 tt...

Page 624: System Debugging

1-5 to do… use the command… remarks enable sending of icmp timeout packets ip ttl-expires enable required disabled by default. Enable sending of icmp destination unreachable packets ip unreachables enable required disabled by default. Display the routes from source to destination tracert [ -a source...

Page 626

1-7 figure 1-4 ping and tracert network diagram configuration procedure # use the ping command to display whether an available route exists between device a and device c. Ping 1.1.2.2 ping 1.1.2.2: 56 data bytes, press ctrl_c to break request time out request time out request time out request time o...

Page 628: Basic Configurations

1-1 1 basic configurations while performing basic configurations of the system, go to these sections for information you are interested in: z configuration display z configuring the device name z configuring the system clock z enabling/disabling the display of copyright information z configuring a b...

Page 630

1-3 displaying the system clock the system clock is decided by the commands clock datetime, clock timezone and clock summer-time. If these three commands are not configured, the display clock command displays the original system clock. If you combine these three commands in different ways, the syste...

Page 632

1-5 configuration system clock displayed by the display clock command example displayed. 2007/1/1 1:00 2007/8/8 2 display: 04:00:00 ss mon 01/01/2007 if the value of "date-time"±"zone-offset" is in the summer-time range, "date-time"±"zone-offset"+”su mmer-offset” is displayed. Configure: clock timez...

Page 634: Configuring Cli Hotkeys

1-7 to do… use the command… remarks configure the banner to be displayed at login (available for modem login users) header incoming text optional configure the banner to be displayed at login authentication header login text optional configure the authorization information before login header legal ...

Page 636

1-9 they can only use commands at their own, or lower, levels. All the commands are categorized into four levels, which are visit, monitor, system, and manage from low to high, and identified respectively by 0 through 3. Table 1-3 describes the levels of the commands. Table 1-3 default command level...

Page 638

1-11 configure the user privilege level under a user interface if the user interface authentication mode is scheme when a user logs in, and ssh publickey authentication type (only username is needed for this authentication type) is adopted, then the user privilege level is the user interface level; ...

Page 640

1-13 system-view [sysname] user-interface vty 0 15 [sysname-ui-vty1] authentication-mode password [sysname-ui-vty0-15] set authentication password cipher 123 [sysname-ui-vty0-15] user privilege level 2 by default, when users log in to the device through telnet, they can use the commands of level 0 a...

Page 642

1-15 during daily maintenance or when the system is operating abnormally, you need to display the running status of each functional module to locate the problem. Generally, you need to execute the corresponding display commands for each module, because each module has independent running information...

Page 644: Information Center Overview

1-1 1 information center configuration when configuring information center, go to these sections for information you are interested in: z information center configuration z configuring information center z displaying and maintaining information center z information center configuration examples info...

Page 646

1-3 table 1-1 severity description severity severity value description emergency 0 the system is unusable. Alert 1 action must be taken immediately critical 2 critical conditions error 3 error conditions warning 4 warning conditions notice 5 normal but significant condition informational 6 informati...

Page 648

1-5 log trap debug output destinati on modules allowed enabled/ disabled severity enabled/ disabled severity enabled/ disabled severity log host default (all modules) enabled informatio nal enabled debug disabled debug trap buffer default (all modules) disabled informatio nal enabled warning disable...

Page 650

1-7 z if the timestamp starts with a *, the information is debugging information source this field indicates the source of the information, such as the source ip address of the log sender. This field is optional and is displayed only when the output destination is the log host. Content this field pr...

Page 655

1-12 outputting system information to the snmp module the snmp module receives the trap information only, and discards the log and debugging information even if you have configured to output them to the snmp module. To monitor the device running status, trap information is usually sent to the snmp n...

Page 657

1-14 to do… use the command… remarks enter system view system-view — enable information center info-center enable optional enabled by default enable the log file feature info-center logfile enable optional enabled by default configure the frequency with which the log file is saved info-center logfil...

Page 660

1-17 [sysname] info-center source default channel loghost debug state off log state off trap state off as the default system configurations for different channels are different, you need to disable the output of log, trap, and debugging information of all modules on the specified channel (loghost in...

Page 663

1-20 figure 1-4 network diagram for sending log information to the console configuration procedure # enable information center. System-view [sysname] info-center enable # use channel console to output log information to the console (optional, console by default). [sysname] info-center console channe...

Page 665: Overview

1-1 1 mac address table configuration when configuring mac address tables, go to these sections for information you are interested in: z overview z configuring a mac address table z displaying and maintaining mac address table z mac address table configuration example currently, interfaces involved ...

Page 667

1-3 figure 1-1 forward frames using the mac address table configuring a mac address table the mac address table configuration tasks include: z configuring mac address table entries z configuring the aging timer for dynamic mac address entries z configuring the mac learning limit these configuration ...

Page 669

1-5 z the mac address aging timer takes effect globally on dynamic mac address entries (learned or administratively configured) only. Z in a stable network, when there has been no traffic activity for a long time, all the dynamic entries in the mac address table maintained by the device will be dele...

Page 672: Table of Contents

I table of contents 1 cluster management configuration·········································································································1-1 cluster management overview··············································································································...

Page 674

1-2 cluster. Different from a member device, its topology information has been collected by the management device but it has not been added to the cluster. Figure 1-1 network diagram for a cluster as shown in figure 1-1 , the device configured with a public ip address and performing the management f...

Page 676

1-4 z on the same device, except the first port, each ntdp-enabled port waits for a period of time and then forwards the ntdp topology collection request after its prior port forwards the ntdp topology collection request. Cluster management maintenance 1) adding a candidate device to a cluster you s...

Page 678

1-6 task remarks configuring ndp parameters optional enabling ntdp globally and for specific ports optional configuring ntdp parameters optional manually collecting topology information optional enabling the cluster function optional establishing a cluster required enabling management vlan auto-nego...

Page 680

1-8 the time for the receiving device to hold ndp packets cannot be shorter thanthe interval for sending ndp packets; otherwise, thendp tablemay become instable. Enabling ntdp globally and for specific ports for ntdp to work normally, you must enable ntdp both globally and on specific ports. Follow ...

Page 682

1-10 the device to be configured as the management device before establishing a cluster. Meanwhile, the ip addresses of the vlan interfaces of the management device and member devices cannot be in the same network segment as that of the cluster address pool; otherwise, the cluster cannot work normal...

Page 684

1-12 to do… use the command… remarks enter system view system-view — enter cluster view cluster — configure the destination mac address for cluster management protocol packets cluster-mac mac-address required the destination mac address is 0180-c200-000a by default. Configure the interval to send ma...

Page 688

1-16 configuring interaction for a cluster after establishing a cluster, you can configure ftp/tftp server, nm host and log host for the cluster on the management device. Z after you configure an ftp/tftp server for a cluster, the members in the cluster access the ftp/tftp server configured through ...

Page 692

1-20 [switcha-gigabitethernet1/0/1] ntdp enable [switcha-gigabitethernet1/0/1] quit # enable the cluster function. [switcha] cluster enable 2) configure the member device switch c as the configurations of the member devices are the same, the configuration procedure of switch c is omitted here. 3) co...

Page 694: Table of Contents

I table of contents 1 http configuration···································································································································1-1 http overview················································································································...

Page 696: Enabling The Http Service

1-2 enabling the http service the device can act as the http server and the users can access and control the device through the web function only after the http service is enabled. Follow these steps to enable the http service: to do… use the command… remarks enter system view system-view — enable t...

Page 698

1-4 if you open the ie on host b, and type http://10.2.1.1, you cannot open the web login page of device..

Page 700: Enabling The Https Service

2-2 associating the https service with an ssl server policy before enabling the https service, associate the https service with a created ssl server policy. Follow these steps to associate the https service with an ssl server policy: to do… use the command… remarks enter system view system-view — as...

Page 702: Https Configuration Example

2-4 to do… use the command… remarks enter system view system-view — configure the port number of the https service ip https port port-number optional by default, the port number of the https service is 443. If you execute the ip https port command for multiple times, the last configured port number ...

Page 704

2-6 # generate a local rsa key pair. [device] public-key local create rsa # retrieve a ca certificate. [device] pki retrieval-certificate ca domain 1 # request a local certificate for device. [device] pki request-certificate domain 1 # configure an ssl server policy myssl, specify pki domain 1 for i...

Page 706: Table of Contents

I table of contents 1 stack configuration···································································································································1-1 stack configuration overview································································································...

Page 708

1-2 establishing a stack an administrator can establish a stack as follows: z configure a private ip address pool for a stack and create the stack on the network device which is desired to be the master device. Z configure ports between the stack devices as stack ports. Z the master device automatic...

Page 710: Stack Configuration Example

1-4 to do… use the command… remarks enter system view system-view — configure the specified ports as stack ports stack stack-port stack-port-num port interface-list required by default, a port is not a stack port. After a device joins a stack and becomes a slave device of the stack, the prompt chang...

Page 712

1-6 switch type: h3c s5120 mac address: 000f-e200-1000 number : 1 role : slave sysname : stack_1. Switchb device type: h3c s5120 mac address: 000f-e200-1001 number : 2 role : slave sysname : stack_2. Devicec device type: h3c s5120 mac address: 000f-e200-1002 number : 3 role : slave sysname : stack_3...

Page 714: Poe Configuration

1-1 1 poe configuration when configuring poe, go to these sections for information you are interested in: z poe overview z poe configuration task list z enabling poe z detecting pds z configuring the poe power z configuring poe power management z configuring the poe monitoring function z configuring...

Page 716: Enabling Poe

1-3 task remarks them, so no configuration is required. Configuring poe profile optional configuring poe interface through poe profile applying poe profile optional upgrading pse processing software in service optional z before configure poe, make sure that the poe power supply and pse are operating...

Page 719

1-6 z 19 watts guard band is reserved for each poe interface on the device to prevent a pd from being powered off because of a sudden increase of the pd power. When the remaining power of the pse is lower than 19 watts and no priority is configured for the poe interface, the pse does not supply powe...

Page 722: Poe Configuration Example

1-9 upgrading pse processing software in service you can upgrade the pse processing software in service in either of the following two modes: z refresh mode this mode enables you to update the pse processing software without deleting it. Normally, you can upgrade the pse processing software in the r...

Page 724: Troubleshooting Poe

1-11 after the configuration takes effect, the ip telephones and ap devices are powered and can work normally. Troubleshooting poe symptom 1: setting the priority of a poe interface to critical fails. Analysis: z the guaranteed remaining power of the pse is lower than the maximum power of the poe in...

Page 726: Ip Source Guard Overview